Recovery control method for vehicle control system

ABSTRACT

An appropriate recovery process is made possible according to the situation of a power supply anomaly. When a system reset occurs, a storage unit stores an operation state of a system immediately before the reset in an operation state memory and also stores a recovery mode determined according to the stored operation state in a recovery mode memory. At the beginning of the recovery process, a necessary process is performed according to the stored recovery mode. Each time the recovery process is performed, a recovery counter performs enumeration and a normal-operation-time timer counter enumerates a normal operation time of the system. Such processes as a system halt and an engine recovery are performed according to the enumerated value and the normal operation time enumerated by the counters.

This is a continuation of International Application No.PCT/JP2004/006634, filed May 17, 2004.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a method of controlling an operationrecovery for various electronic devices, apparatus, or the like when asystem reset occurs because of an anomaly in the electronic devices, theapparatus, or the like. More particularly, the invention relates to arecovery control method for a vehicle control system.

2. Description of the Related Art

In an electronic control system, when a system reset is performed dueto, for example, a power supply anomaly that triggers the system reset,it is desirable to quickly recover the state immediately before theanomaly occurred. An apparatus that is configured from this viewpoint ispublicly known and well known. The apparatus is provided with a backupmemory for storing various data related to operations of the system, andis configured so that it can distinguish the stored data between beforean update of the stored data and after the update, to facilitateselection of the stored data necessary at the time of recovery and tomake a smooth recovery process possible (for example, seeJP-A-7-175501).

In such an apparatus, it is typical that a system halt or a system resetis performed once such an anomaly occurs in which power supply voltagebecomes less than a predetermined reference voltage, for example.However, depending on the system, there are cases in which it may beconvenient not to perform the system halt immediately when a powersupply anomaly occurred only one time, with such a system that the powersupply anomaly occurs a plurality of times with a cycle that is uniqueto the system. For example, with such an apparatus as a vehicle controlsystem, an accurate recovery process according to the frequency ofoccurrence, the cycle of occurrence, and the like, of power supplyanomalies is desired.

SUMMARY OF THE INVENTION

The present invention has been accomplished in view of the foregoingcircumstances, and provides a recovery control method for a vehiclecontrol system that enables an appropriate recovery process according tothe situation of power supply anomalies.

According to an embodiment of the invention, there is provided arecovery control method for a vehicle control system, comprising:

sequentially storing operation states of the vehicle control system;referencing the stored content at a time of starting the vehicle controlsystem; and, if it is determined that a previous system operation hasnot ended normally, performing a recovery process in a recovery modethat has been determined in advance according to an operation state ofthe system operation immediately before the termination.

When performing a recovery process, it is made possible with such aconfiguration to reference a system operation immediately before thepower supply anomaly occurs that triggered the recovery process, andmoreover, to select a recovery process that is determined according tothe system operation. Therefore, an appropriate recovery process can beperformed quickly according to the situation of the anomaly.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a configuration diagram illustrating a configuration exampleof a vehicle control system according to an embodiment of the invention.

FIG. 2 is a main flowchart illustrating a control process procedureexecuted during a normal operation time of the vehicle control systemshown in FIG. 1.

FIG. 3 is a flowchart illustrating a control procedure in the case wherea recovery process is performed in the vehicle control system shown inFIG. 1.

FIG. 4 is a flowchart illustrating a specific processing procedure ofthe recovery counter process shown in FIG. 3.

FIG. 5 is an explanatory view for illustrating a normal operation time,a time determining threshold value, and a weight determining threshold,in a vehicle control system according to an embodiment the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Hereinbelow, an embodiment of the invention is explained with referenceto FIGS. 1 through 5.

It is to be understood that the members, arrangement, and so onexplained below are not to limit the present invention, and variouschanges and modifications can be made within the sprit and scope of thepresent invention.

First, a configuration example of the vehicle control system in apreferred embodiment of the invention is described with reference toFIG. 1.

This vehicle control system comprises, as its main components, a controlunit (denoted as “CPU” in FIG. 1) 101, a storage unit (denoted as “MEM”in FIG. 1) 102, a recovery circuit (denoted as “REC” in FIG. 1) 103, adisplay unit (denoted as “DSP” in FIG. 1) 104, and anoperation-state-memory clearing interface (denoted as “CLR-I/F” inFIG. 1) 105.

The control unit 101 is for executing a recovery control as will bedescribed later, and such a control unit 101 may specifically beimplemented by, for example, a microcomputer and software. In theembodiment of the invention, this control unit 101 incorporates arecovery control routine, which will be described later with referenceto FIGS. 2 through 5, and other general control routines that arenecessary for vehicle controlling.

The storage unit 102 stores various data and the like. In the embodimentof the invention, it includes an operation state memory 1, a recoverymode memory 2, a recovery memory 3, and a normal operation time memory 4according to the types of data to be stored. In a later describedprocessing procedure of recovery controlling, an explanation will begiven as needed about what kind of data these memories 1 to 4 store.

In addition, although this configuration example illustrates aconfiguration example in which separate respective memories areprovided, it is of course possible to use one single memory divided intofour separate sections. Also, for all the memories, it is suitable touse a nonvolatile memory that is capable of retaining stored contentseven when a power supply voltage is cut off.

The recovery circuit 103 comprises a counter that is necessary toperform later-described recovery controlling. In the embodiment of theinvention, it is provided with two components, a recovery counter 5 anda normal-operation-time timer counter (denoted as “OPE-COUNT” in FIG.1).

The recovery counter 5 is for enumerating how many times the recoveryprocess was performed and the vehicle control system was recovered.

The normal-operation-time timer counter 6 is for counting a time of anormal operation time of this vehicle control system, as will bedescribed later.

It should be noted that although the recovery circuit 103 in theembodiment of the invention is implemented as a hardware component, itis of course possible to implement the recovery circuit 103 by asoftware component using a publicly-known/well-known counter program inthe control unit 101.

The display unit 104 has a publicly-known/well-known configuration fordisplaying various necessary characters and symbols according to theoperation state of this vehicle control system.

The operation-state-memory clearing interface 105 is for erasing all thestored contents in the operation state memory 1. More specifically, itis suitable to use one using an on/off switch so that the contents ofthe operation state memory 1 are cleared when the switch is turned on,for example.

Next, a processing procedure of the recovery controlling executed by thecontrol unit 101 in the foregoing configuration is explained withreference to FIGS. 2 through 5.

First, with reference to FIG. 2, the overall control processingprocedure of this vehicle control system is explained. FIG. 2illustrates, in particular, a main routine of the recovery control inthe vehicle control system.

Upon starting the process by turning on a ignition switch (not shown) ofa vehicle, it is determined first whether or not there is a record of anoperation state in the operation state memory 1 (step S2001 in FIG. 2).Here, first of all, the operation state memory 1 in the embodiment ofthe invention is configured so that an operation state of the vehiclecontrol system immediately before a system reset occurrence is storedtherein and, if the system is terminated and halted normally, the stateindicating that is written therein.

Accordingly, the judgment on whether or not there is a record of anoperation state of the operation state memory 1 immediately after theignition switch is turned on corresponds to determining whether or notthe system operation before the ignition switch has been turned on hadbeen terminated normally.

Then, if it is determined that there is a record of an operation state(if YES) in this step S2001, the flow proceeds to a later-describedprocess of step S3000, because it means that the system was not normallyhalted and terminated in the previous system operation and a systemreset was performed. In other words, in the embodiment of the invention,it is assumed that such a system reset is performed because a powersupply anomaly has been occurred.

On the other hand, if it is determined that there is no record ofoperation state (if NO) in step S2001, the counting of thenormal-operation-time timer counter 6 starts and the flow proceeds tothe next process of step S2002 because it means that the system has beenhalted and terminated normally in the previous system operation. Itshould be noted that, in the embodiment of the invention, when thecounting of the normal-operation-time timer counter 6 starts, the countvalues that change every moment are sequentially written into the normaloperation time memory 4. In addition, the normal-operation-time timercounter 6 is configured so as to halt inevitably when a power supplyanomaly occurs.

Next, in step S2002, it is determined whether or not there is a changeof operation states.

Specifically, first, the operation states of a vehicle herein means suchstates as “an idle state,” “an acceleration state,” “a cruise state,”“an engine operation state by limp home,” and further “an engine haltstate by recovery.” A change of operation states means a change from acertain operation state into another operation state, among those listedas examples.

Then, if it is determined that there is a change of operation states (ifYES) in step S2002, the changed operation states are stored in theoperation state memory 1 (step S2003 in FIG. 2), and the flow proceedsto the next process of step S2004; on the other hand, if it isdetermined that there is no change of operation states (if NO) in stepS2002, a general process necessary in a normal operation of the vehiclesystem is executed although not shown in the figure, and subsequentlythe flow proceeds to the process of step S2004.

In step S2004, it is determined whether or not the ignition switch,which is not shown in the figure, has been turned off, and until it isdetermined that the ignition switch has been turned off, the foregoingprocess that follows step S2002 is repeated. Then, in step S2004, if theignition switch has been turned off (if YES), a halt preparation processthat is necessary for halting the system operation is performed,although it is not shown in the figure. Subsequently, the stored data inthe operation state memory 1 are erased, and a predetermined stateindicating that the system has been halted normally is written into theoperation state memory 1 (cf step S2005 in FIG. 2).

Subsequently, the recovery counter 5 is cleared (step S2006 in FIG. 2),and the system is halted (cf. step S2007 in FIG. 2), completing a seriesof processes.

Next, a process that is performed if it is determined that there is arecord of an operation state in the operation state memory 1 in thepreviously-described step S2001 (if YES) is explained with reference toFIGS. 3 and 5.

First, a recovery counter process is performed (step S3000 in FIG. 3).This recovery counter process is a sub-routine process in which anenumerated value of the recovery counter is weighted according to thecondition of power supply voltage anomaly in the vehicle control system,the details of which are illustrated in FIG. 4.

Hereinbelow, this recovery counter process is explained with referenceto FIG. 4.

Upon starting the recovery counter process, the stored contents in thenormal operation time memory 4 are referenced first (step S5000 in FIG.4). Here, the normal time operation memory 4 stores a time indicatinghow long the system had been operating normally until the system resetoccurred.

Then, the normal operation time stored in the normal operation timememory 4 is read out, and it is determined whether or not the normaloperation time is greater than a weight determining threshold value (afirst reference value) (step S5001 in FIG. 4).

Here, an explanation is given concerning the normal operation time, theweight determining threshold, and a next-described time determiningthreshold value in step S5002 in the embodiment of the invention withreference to FIG. 5.

In FIG. 5, the horizontal axis is a time axis, which represents anelapsed time from the start of the system, in other words, from thestart of the enumeration by the normal-operation-time timer counter 6(at the point of time “0” in FIG. 5).

The “time determining threshold value” (Tth) is a time point at which arelatively short time has elapsed from the start of the system. It ispreferable that this time determining threshold value (a secondreference value) is determined based on experimental values in an actualvehicle control system or simulations. In the embodiment of theinvention, a power supply anomaly that occurs within a relatively shorttime from the start of the system is taken as a standard among a varietyof power supply anomalies, and an average time in the case where such apower supply anomaly is set as the time determining threshold value.

In addition, the “weight determining threshold value” (Tw) is a timedetermined based on experimental values in an actual vehicle controlsystem or simulations taking a power supply anomaly that occurs suddenlyafter the system had been operating normally for a long time as astandard.

In the embodiment of the invention, a time from the start of the systemuntil a recovery process is performed due to a power supply anomaly isdefined as a normal operation time.

Here, the discussion returns to the explanation of FIG. 4. If it isdetermined that the normal operation time is greater than the weightdetermining threshold value (if YES) in step S5001, enumeration isperformed in the recovery counter 5, wherein the enumerated value isadvanced by “1” and “1” is added to the stored value in the recoverymemory 3; then, the flow proceeds to the later-described process of stepS3001 (FIG. 3) (step S5004 in FIG. 4). Here, the recovery memory 3 is amemory for storing the number of occurrences of the recovery process.

On the other hand, if it is determined that the normal operation time isnot greater than the weight determining threshold value (if NO) in stepS5001, it is determined whether or not the normal operation time is lessthan the time determining threshold value (step S5002 in FIG. 4). If itis determined that the normal operation time is less than the timedetermining threshold value (if YES), the flow proceeds to the laterdescribed process of step S3001 (FIG. 3) without advancing theenumerated value of the recovery counter 5. On the other hand, if it isdetermined that the normal operation time is not less than the timedetermining threshold value (if NO), in other words, if the normaloperation time is greater than the time determining threshold value butless than the weight determining threshold value, the flow proceeds tothe process of step S5003.

It should be noted here that normal operation time<time determiningthreshold value holds when, for example, power supply anomalies occurperiodically in a very short time but the power supply anomalies resolveas soon as the engine starts to operate, such as when the engine isstarted at a low temperature, and it is preferable that the timedetermining threshold value should be set taking the cycle time ofoccurrence of power supply anomalies in such cases as a standard.

In step S5003, a weighting process of the recovery counter 5 isperformed. That is, the weighting process is a process in which theenumerated value of the recovery counter 5 is advanced further thanusual according to a predetermined criterion, from the viewpoint thatsuch a power supply anomaly that the normal operation time falls betweenthe time determining threshold value and the weight determiningthreshold value is undesirable. Specifically, the following processmethods are suitable. Where an enumerated value at one time should beset at “1” normally, the enumerated value at one time may be set at apredetermined value of “two” or greater, or the enumerated value of therecovery counter 5 immediately before the weighting process may bemultiplied by a predetermined coefficient.

Then, while the weighting process of the recovery counter 5 isperformed, “1” is added to the stored value in the recovery memory 3 atthe same time, and the flow proceeds to the later-described process ofstep S3001 (FIG. 3).

Next, the discussion returns to the description of thepreviously-mentioned FIG. 3. After the recovery counter process isperformed, it is determined whether or not the number of counts (theenumerated value) of the recovery counter 5 is equal to or greater thana prescribed number (step S3001 in FIG. 3). If it is determined that thevalue is equal to or greater than the prescribed number (if YES), theflow proceeds to the process of step S3008. On the other hand, if it isdetermined that the value does not exceed the prescribed number (if NO),the flow proceeds to the process of step S3002.

First, an explanation is given about the case in which it is determinedthat the number of counts of the recovery counter 5 does not exceed aprescribed number. In this case, the flow proceeds to step S3002, andthe content of the recovery mode memory 2 is referenced. Here, theinformation on the previously-described recovery mode according to theoperation state that has been written into the operation state memory 1is written into the recovery mode memory 2. That is, there are a varietyof operation states of the system immediately before the system reset,naturally, and which of the recovery modes is used to recovery thesystem in the recovery process depends on the operation stateimmediately therebefore. Therefore, in the embodiment of the invention,when an operation state is written into the operation state memory 1, arecovery mode determined according to the operation state that has beenwritten into the operation state memory 1 is written into the recoverymode memory 2.

Next, it is determined whether or not the recovery mode written into therecovery mode memory 2 requests recovery of the engine (step S3003 inFIG. 3). If it is determined that there is an engine recovery request(if YES), a process necessary for the engine recovery is performed (stepS3004 in FIG. 3), and the content in the operation state memory 1 iscleared. Meanwhile, the state indicating that the system has been haltednormally is written, and the flow returns to the previously-describedprocess of step S2001 in FIG. 2 (step S3005 in FIG. 3).

On the other hand, if it is determined that there is no engine recoveryrequest (if NO) in step S3003, it is determined whether or not there isa limp home request by referencing the stored content in the recoverymode memory 2 (step S3006 in FIG. 3). It should be noted that the limphome is a publicly-known/well-known function for enabling a vehicle tobe operated to a nearby garage in the case of failure, and therefore,detailed explanation thereof will not be given herein.

Then, if it is determined that there is no limp home request (if NO) instep S3006, the flow proceeds to the process of step S3008. On the otherhand, if it is determined that there is a limp home request (if YES),the fact that the operation state of the system is in a limp home modeis stored in the operation state memory 1, and a limp home mode process,which is not shown in the figure, is performed. In addition, the displayunit 104 indicates that the system has entered a limp home mode.

Next, if it is determined as YES in the previous step S3001, or if it isdetermined as NO in step S3006, it is determined whether or not there isa request for clearing the operation state memory 1 from outside;specifically, for example, it is determined whether or not a request forclearing the operation state memory 1 is made by theoperation-state-memory clearing interface 105 (step S3008 in FIG. 3). Ifit is determined that there is a clear request (if YES), the operationstate memory 1 is cleared. Meanwhile, the state indicating that thesystem has been halted normally is written therein, and the flowproceeds to the later-described process of step S3011.

On the other hand, if it is determined that there is no request forclearing the operation state memory 1 (if NO) in step S3008, theinformation indicating that the system is in a halt state due torecovery is written into the operation state memory 1 (step S3010 inFIG. 3).

Next, a preparation for a system halt is performed (step S3011 in FIG.3), and thereafter, the flow proceeds to step S2007 shown in FIG. 2, inwhich the system is halted. Here, examples of the preparation forhalting the system halt include such processes as resetting peripheralcontrol circuits, which are not shown in FIG. 1, and bringing theprocess into an endless routine to prevent the CPU from running away. Inaddition, the display unit 104 indicates that the system is halted atthis time.

The invention can be applied to an electronic control apparatus forperforming operation control of a vehicle, and is especially suitablefor an apparatus in which such a control is desired that a systemtermination is not performed immediately at only one time of powersupply anomaly occurrence.

The invention employs a configuration in which an operation stateimmediately before a system reset is performed because of a power supplyanomaly and a recovery mode according to the operation state are stored,and the stored content can be referenced at the time of a recoveryprocess; thereby, an accurate recovery process can be performed quicklyaccording to the operation state before the recovery.

Moreover, by employing a configuration in which an anomaly that triggersa recovery process to be executed is monitored with its frequency ofoccurrence and time of occurrence, the following advantages areattained. It becomes possible to avoid an immediate system halt for apower supply anomaly that occurs, for example, periodically at the timeof starting the engine at a low temperature, and to select a system haltor the like at an appropriate time, thus enabling flexible controlling.

1. A control method for a vehicle control system, the method comprising:storing, if a system reset occurs, an operation state of the vehiclecontrol system immediately before the system reset, and storing arecovery mode that corresponds to the operation state of the vehiclecontrol system immediately before the system reset; referencing thestored content at a start of the vehicle control system; performing arecovery process based on the stored recovery mode if a recovery processis to be performed; enumerating and storing a normal operation time thatis measured from a start of the vehicle control system until the systemreset occurs; determining whether or not the stored normal operationtime is greater than a first reference value; performing enumeration bya recovery counter if it is determined that the stored normal operationtime is greater than the first reference value; determining whether ornot the enumerated value of the recovery counter is equal to or greaterthan a preset value; and terminating the vehicle control system if it isdetermined that the enumerated value of the recovery counter is equal toor greater than the preset value.
 2. The control method for a vehiclecontrol system as set forth in claim 1, further comprising: determiningwhether or not the stored normal operation time is less than a secondreference value if it is determined that the stored normal operationtime is less than the first reference value; and performing enumerationby a recovery counter with a predetermined weight if it is determinedthat the stored normal operation time is not less than the secondreference value.